Security Researcher Outs 5 New Java Zero-Day Flaws

A security firm with a penchant for finding Java flaws, has uncovered five Java Zero-day vulnerabilities and released proof-of-concept code for exploiting them.

Poland-based Security Explorations, which has been in a dispute with Oracle over the vendor's denial of a recent finding, said Monday that it discovered five additional flaws in Java SE. Two of the vulnerabilities could be used by an attacker to execute code on a victim's machine, the firm said. Security researcher and company CEO Adam Gowdiak said the two security issues combined together can bypass the sandbox environment in Java SE 7 Update 15.

"Our vulnerability report along with a working Proof of Concept code was submitted to Oracle today," wrote Gowdiak in a security advisory posted on the Full Disclosure Mailing list.

Gowdiak said the attack breaks security checks recently added by Oracle to Java SE. There were also some code fragments missing proper security checks, he said. Gowdiak warned that some of the flaws could affect earlier versions of Java SE, but currently the findings have been successfully tested on Java SE 7 only.

Oracle has not publicly acknowledged any of the findings. A company spokesperson responded to an inquiry from CRN saying it was looking into the matter.

Last week, researchers at security firm FireEye said it detected a brand-new Java Zero-day vulnerability that was used to attack multiple customers. Successful exploitation enables an attacker to download a remote access Trojan onto a victim's machine, FireEye said in a blog post.

"We have notified Oracle and will continue to work with Oracle on this in-the-wild discovery," the company said.

FireEye is urging users to disable Java in the browser until a patch is released. As a workaround, users can set their Java security settings to high to prevent Java applets outside of the organization from running.

Java has come under increased pressure in recent months following a documented rise in attacks targeting the ubiquitous programming language. The company issued an emergency update in February following ongoing attacks targeting a known Java Zero-day flaw.

Eric Maurice, director of software assurance at Oracle, said the company was speeding up its patching cycle to more immediately address issues. The "intent is to continue to accelerate the release of Java fixes, particularly to help address the security worthiness of the Java Runtime Environment (JRE) in desktop browsers," Maurice wrote in a blog entry last month. The next regularly scheduled security update for Java SE is slated for April 16.